<<< Date Index >>>     <<< Thread Index >>>

Re: ZoneAlarm remote Denial Of Service exploit



In-Reply-To: <20030902145734.2258.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

ZONE LABS SECURITY ADVISORY
DENIAL OF SERVICE REPORT

OVERVIEW
Zone Labs has found no evidence that, under real-world conditions, its 
products are vulnerable to the Denial of Service attack described by 
HackologyTeam@xxxxxxxxx at the BugTraq site and mailing list. There is 
also no evidence that Zone Labs products are vulnerable to the similar 
attack described by sprog@xxxxxxxxx in the follow-up post to BugTraq. 

Date Published: September 3, 2003

EFFECT ON ZONE LABS USERS
Little or none. 

ZONE LABS PRODUCTS
Zone Labs tests do not show that computers employing Zone Labs Integrity?, 
ZoneAlarm® Pro, ZoneAlarm Plus, and ZoneAlarm security products are 
vulnerable to this attack in real-world situations.

DESCRIPTION
This Denial of Service (DoS) attempt sends a barrage of UDP packets to a 
PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0. The vulnerability 
reporter claims that this packet flood causes the target PC to hang. Zone 
Labs' testing did NOT show this under real-world conditions (described 
below). In the vulnerability report, the attacker included the Perl script 
to launch the attack. Other important information, such as type of PC and 
connection speed, was not specified.

IMPACT
Because the initial report lacked important information, Zone Labs tested 
the Perl script on multiple PCs with a variety of network speeds. We were 
unable to replicate the results the testers claim. We noted the following 
results: 

1) While we have seen a somewhat higher CPU usage and related slow-down on 
the target machine, we have not seen anything resembling a DoS attack. The 
largest slowdown occurred on a direct computer-to-computer 100-MBit 
network. Even in that setup, we never observed a complete freeze under any 
conditions. (Nor were other methods of UDP flooding effective.) For a  
real-world DoS attack to succeed, it would need to be effective at much 
slower connection speeds more typical for Internet connections (for 
example, 1.5-MBit for a T1 or DSL connection).

2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were 
not disabled as a result of the attacks, and the security of the test 
machines was never compromised by the attempted DoS attack. Once the 
attempted attacks stopped, the CPU usage went down to normal levels 
immediately. 

RECOMMENDED ACTIONS
Install any Zone Labs product to protect against UDP-flood attacks. Zone 
Labs' tests did not show a Denial of Service result. We will be addressing 
the relatively minor performance issues in upcoming releases. Note that in 
the typical definition of a Denial of Service attack, the target is a 
server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and 
ZoneAlarm Pro are not designed to protect server platforms. The following 
supported platform list applies to Zone Labs products: 
http://www.zonelabs.com/store/content/support/znalmGeneralFAQ.jsp#9general

RELATED RESOURCES
BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08-
30/2003-09-05/0

CREDITS
This report first appeared on the BugTraq vulnerability list. Zone Labs 
adheres to the vulnerability disclosure guidelines found at 
http://www.wiretrip.net/rfp/policy.html. These guidelines specify 
informing a vendor before public disclosure of a possible vulnerability, 
so a security fix may be created to protect users before malicious 
software takes advantage of the exploit. We encourage all vulnerability 
reporters to follow the same procedure. To report a vulnerability, please 
send an email to security@xxxxxxxxxxxxx

CONTACT
Zone Labs customers who are concerned about this issue or have additional 
technical questions may reach our Technical Support group at: 
http://www.zonelabs.com/store/content/support/support.jsp. 

COPYRIGHT (c) 2003 by Zone Labs Incorporated
Permission to redistribute this alert electronically is granted as long as 
it is not edited in any way unless authorized by Zone Labs. Reprinting the 
whole or part of this alert in any medium other than electronically 
requires permission from Zone Labs.


>
>
>
># Overview : 
>#
># ZoneAlarm is a firewall software
># package designed for Microsoft Windows 
># operating systems that blocks intrusion 
># attempts, trusted by millions, and has 
># advanced privacy features like worms, 
># Trojan horses, and spyware protection. 
># ZoneAlarm is distributed and maintained 
># by Zone Labs.http://www.zonelabs.com
>#
># Details :
>#
># ZoneAlarm was found vulnerable to a
># serious vulnerability leading to a
># remote Denial Of Service condition due 
># to failure to handle udp random 
># packets, if an attacker sends multiple 
># udp packets to multiple ports 0-65000, 
># the machine will hang up until the
># attacker stop flooding.